Ever met MBRLockers? Yes, those nasty pieces of malware which replace your Master Boot Record with malicious code and ransom you. Good news here: most of them just back up your original MBR somewhere and put one asking for ransom in its place. Today I’m going to tell you how to debug these things easily for, ehmm, scientific purposes.
What you need to debug MBR
Preparing the emulator
First of all you need to prepare a disk image for Bochs. You can do so by going to the installation directory and running bximage. All the default settings will do.
Notice that a part of the configuration was copied into your clipboard and a file c.img should have appeared in the Bochs directory. You can put it anywhere you like or just run everything from this directory.
Also notice how a configuration file was mentioned. Go and make one, call it bochsrc, and put the following text in it:
display_library: win32, options="gui_debug"
romimage: file=$BXSHARE/BIOS-bochs-latest
vgaromimage: file=$BXSHARE/VGABIOS-lgpl-latest
megs: 16
ata0: enabled=1, ioaddr1=0x1f0, ioaddr2=0x3f0, irq=14
ata0-master: type=disk, path="c.img", mode=flat, cylinders=20, heads=16, spt=63
boot: disk
If you made any changes to the default settings when creating the disk image, you need to replace line 6 (the ata0-master line) with the contents of your clipboard now, so that the geometry matches the image bximage created.
Preparing the Master Boot Record
At this point you have a disk image for the virtual machine, but it does not contain the malicious MBR to debug. You can access your current MBR as well as the MBR inside the image through HxD’s Extras menu as shown below.
For your current MBR, choose Open disk->Physical Disks->Hard Disk 1. For the Bochs disk image, choose Open disk image. Now you simply copy and paste the MBR you need into the beginning of the disk image. Remember, the MBR has to be exactly 512 bytes long and end with 0x55AA.
Save the changes by pressing
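If you would rather script the copy-into-image step than paste it in a hex editor, here is an added Python example (not part of the original post or of Bochs/HxD). It enforces the 512-byte and 0x55AA rules above, decodes the partition table so you can see whether a locker kept the original entries, and writes the sector into a flat Bochs image such as c.img. The sample MBR it builds is constructed for demonstration.

```python
import struct

SECTOR = 512              # an MBR is exactly one 512-byte sector
PART_TABLE_OFFSET = 446   # four 16-byte partition entries live here
SIGNATURE = b"\x55\xAA"   # boot signature, the last two bytes of the sector


def check_mbr(mbr: bytes) -> None:
    """Refuse anything that is not exactly one sector ending in 0x55AA."""
    if len(mbr) != SECTOR:
        raise ValueError(f"MBR must be {SECTOR} bytes, got {len(mbr)}")
    if mbr[-2:] != SIGNATURE:
        raise ValueError(f"bad boot signature {mbr[-2:].hex()} (expected 55aa)")


def parse_partitions(mbr: bytes) -> list:
    """Decode the partition table: status, type, LBA start and sector count.
    Comparing this against the clean MBR shows whether the locker preserved it."""
    check_mbr(mbr)
    entries = []
    for i in range(4):
        raw = mbr[PART_TABLE_OFFSET + 16 * i:PART_TABLE_OFFSET + 16 * (i + 1)]
        # byte 0 status, bytes 1-3 CHS start, byte 4 type, bytes 5-7 CHS end,
        # bytes 8-11 LBA start, bytes 12-15 sector count (all little-endian)
        status, ptype, lba, count = struct.unpack("<B3xB3xII", raw)
        if ptype:  # type 0x00 means the slot is unused
            entries.append({"index": i, "bootable": status == 0x80,
                            "type": ptype, "lba_start": lba, "sectors": count})
    return entries


def install_mbr(image_path: str, mbr: bytes) -> int:
    """Overwrite sector 0 of a flat disk image in place; returns bytes written."""
    check_mbr(mbr)
    with open(image_path, "r+b") as f:   # r+b keeps the rest of the image intact
        f.seek(0)
        return f.write(mbr)


def sample_mbr() -> bytes:
    """Constructed stand-in for a dumped MBR: zeroed boot code plus one bootable
    type-0x07 partition starting at LBA 2048 with 0x10000 sectors."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 0x10000)
    return bytes(PART_TABLE_OFFSET) + entry + bytes(48) + SIGNATURE


if __name__ == "__main__":
    for p in parse_partitions(sample_mbr()):
        print(p)
```

Run it against the real dump and the image path you used in bochsrc; a ValueError means the bytes you are about to write would not boot under Bochs anyway.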
Debugging with Bochs
Fire up the command prompt by pressing
cd to the directory where you’ve saved the configuration file and the disk image. If this directory is not the Bochs installation directory, don’t forget to execute
Now you are ready to start debugging. Execute the following to start Bochs Enhanced Debugger:
bochsdbg -q -f bochsrc
If everything goes without a hitch, you should be presented with three windows: Console, Display and the Debugger, paused at the very first instruction of the Bochs BIOS. At the very bottom you can enter lb 0x7c00 to set a breakpoint on the MBR, then press Continue. You will see stuff happening in the Display window and end up with the debugger paused at the Master Boot Record.
From here you should already have an idea of how to continue: you’ve just set a breakpoint and continued execution. To step instructions, you can either press Step or enter s in the console at the bottom of the Debugger window. You can display the stack on the right by pressing F2, or any location in memory by pressing F7. The registers are on the left and the code is in the middle. You can see CPU information and flag states in the status bar.
For more information on using Bochs debugger, visit this page.